IS Governance, Risk and Compliance (GRC) Manager

Home Office (NY), United States


First Quality was founded in 1989 and has grown to be a global privately held company with over 4,000 employees. Its corporate offices are located in Great Neck, New York, with manufacturing facilities and offices in Pennsylvania, South Carolina, Georgia, and Canada. First Quality is a diversified family of companies manufacturing consumer products ranging from Absorbent Hygiene (adult incontinence, feminine care, and baby care), Tissue (bath and towel), and Industrial (print and packaging materials), serving institutional and retail markets throughout the world. First Quality focuses on private label and branded product lines.

We are seeking an IS GRC Manager for our First Quality Enterprise working remotely. This position will be responsible for the development, delivery, and continuous improvement of First Quality’s Information Security GRC Program across First Quality Enterprises. The Manager will lead the development, execution, and continuous improvement of an innovative, trusted, and ever-evolving Information Security Governance, Risk, and Compliance program. This program is responsible for the protection of people and data within the company, including the protection of information assets, alignment with organizational goals, and compliance with applicable regulations and standards.

Primary responsibilities include:

The Manager will work closely with the Senior Manager of Information Security GRC to execute the security GRC program and drive key initiatives. The individual will oversee a team of security professionals and will be responsible for the main pillars of the GRC program, which are Governance, Enterprise Risk Management, Compliance, and Continuous Monitoring and Improvement.

Governance
  • Lead and manage the company’s Data Governance Program, ensuring compliance with regulatory requirements, data security policies, and industry-wide best practices for data integrity, classification, protection, and lifecycle management.
  • Develop, implement, and maintain Information Security policies, standards, and procedures.
  • Oversee the enterprise-wide IS Security Awareness Program, which includes phishing simulations, computer-based training, proactive communications on the latest threats, workshops, and newsletters.
  • Ensure the GRC team is properly engaged during incidents and events that include potential HIPAA and other data breaches, data leakage, brand reputational risks, malware propagation, system compromises, etc.
  • Promote a security mindset through enterprise and functional team specific presentations and initiatives.

Enterprise Risk Management

  • Perform annual Enterprise Technology Risk Assessments and other assessments such as benchmarking and health checks against industry standard frameworks.
  • Manage and assist personnel responsible for GRC risk and control audits and assessments to ensure systems and applications (on-prem and in the cloud) comply with First Quality policies, applicable regulatory and legal requirements, and leading industry frameworks and practices.
  • Manage the Information Security Risk Management Program to identify, track, and remediate identified security gaps, misconfigurations, and vulnerabilities across multiple sources.
  • Mature the Information Security Risk Management Program by managing the IS risk register and ensuring appropriate risk management strategies are in place and followed up on.
  • Oversee the company’s Third-Party Risk Management function and ensure there is continuous improvement and evolution based on industry standards and current attack vectors.
  • Aid in the continuous Cyber Business Impact Analysis (CBIA) process to determine the overall confidentiality, integrity, and criticality of all systems and platforms, both existing and new.
  • Participate in IT and business initiative projects to provide security requirements to ensure a secure by design implementation and identify and track any identified security risks.
  • Meet with business stakeholders to quantify risks across the organization and maintain the top board level security risks.
  • Develop and drive the implementation of security best practices and standards to mature the overall IS Risk Management Program which includes defining security system and application standards of control.

Compliance

  • Provide GRC advisory services to the business (technical and non-technical) and function as a trusted advisor to ensure Information Security requirements and standards are implemented and appropriate risk mitigation strategies are in place.
  • Liaise with key functional teams such as HR, IT, Digital Marketing, Finance, Internal Audit, Enterprise Risk, Quality, Office of General Counsel, and the Business to identify new applications and service providers in use and the associated security controls necessary to secure the data.
  • Ensure compliance with HIPAA and applicable legal and regulatory requirements.

Continuous Monitoring and Improvement

  • Regularly assess and enhance security policies, procedures, and frameworks to align with the industry best practices and the ever-evolving threat landscape.
  • Ensure proactive identification and remediation of risk and vulnerabilities through regular assessments.
  • Foster a culture of innovation and improvement within the team.
  • Establish and maintain Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for the Data Governance Security Program and initiatives.

Miscellaneous

  • Manage and further develop an existing team of GRC professionals.
  • Conduct performance evaluations, coaching, and career development.

The ideal candidate should possess the following:

  • Bachelor’s degree in Information Security, Computer Science, or related technology field.
  • Minimum 7 years of experience in Information Security, IT Governance, Risk, or Compliance.
  • CISSP, CISM, CRISC, or other relevant certifications preferred.
  • Minimum 3 years of experience in a leadership or management role.
  • Strong team leadership skills.
  • Experience managing audits, risk assessments, and compliance initiatives.
  • Strong understanding of cybersecurity, risk management, and compliance concepts.
  • Working understanding of key security technologies in IAM, endpoint protection, cloud security, networking, etc.
  • Strong knowledge of industry frameworks, especially NIST CSF, NIST 800-53 and NIST RMF.
  • Experience with security awareness & training, policies & procedures creation, and contract reviews.
  • Experience with DLP strategy formulation and tool rollouts.
  • Excellent communication, negotiation, and presentation skills.
  • Proven ability to work collaboratively across organizational teams.
  • Familiarity with GRC and Incident Reporting tools such as OneTrust and ServiceNow.
  • Experience with compliance or regulatory frameworks.

The estimated annual base salary range for this position is $150,000 - $170,000 + annual bonus.

Base pay is only part of our total compensation package, which also includes an attractive annual discretionary bonus and a robust suite of employee benefits in which you are eligible to participate starting on your first day of employment.

Base pay offered will be determined on an individualized basis and we will consider your location, experience, and other job-related factors.

First Quality is committed to protecting information under the care of First Quality Enterprises commensurate with leading industry standards and applicable regulations. As such, First Quality provides at least annual training regarding data privacy and security to employees who, as a result of their role specifications, may come into contact with sensitive data.

First Quality is an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, sexual orientation, gender identification, or protected Veteran status.
